Productivity is the property that finite prefixes of an infinite constructor term can be computed using a 
given term rewrite system. Hitherto, productivity has only been considered for orthogonal systems, 
where non-determinism is not allowed. This paper presents techniques to also prove productivity 
of non-orthogonal term rewrite systems. For such systems, it is desired that one does not have to 
guess the reduction steps to perform, instead any outermost-fair reduction should compute an infinite 
constructor term in the limit. As a main result, it is shown that for possibly non-orthogonal term 
rewrite systems this kind of productivity can be concluded from context-sensitive termination. This 
result can be applied to prove stabilization of digital circuits, as will be illustrated by means of an 
example. 

1 Introduction 

Productivity is the property that a given set of computation rules computes a desired infinite object. This 
has been studied mostly in the setting of streams, the simplest infinite objects. However, as already 
observed in [14], productivity is also of interest for other infinite structures, for example infinite trees, or 
mixtures of finite and infinite structures. A prominent example of the latter are lists in the programming 
language Haskell [10], which can be finite (by ending with a sentinel "[]") or which can go on forever. 

Existing approaches for automatically checking productivity, e.g., [2, 3, 14], are restricted to orthogonal 
systems. The main reason for this restriction is that it disallows non-determinism. A complete 
computer program (i.e., a program and all possible input sequences, neglecting sources of true randomness) 
always behaves deterministically, as the steps of computation are precisely determined. However, often a 
complete program is not available, too large to be studied, or its inputs are provided by the user or they 
are not specified completely. In this case, non-determinism can be used to abstract from certain parts by 
describing a number of possible behaviors. In such a setting, the restriction to orthogonal systems, which 
is even far stronger than only disallowing non-determinism, should be removed. An example of such a 
setting are hardware components, describing streams of output values which are depending on the streams 
of input values. To analyze such components in isolation, all possible input streams have to be considered. 

This paper presents an extension of the techniques in [14] to analyze productivity of specifications that 
may contain non-determinism. As in that work, the main technique to prove productivity is by analyzing 
termination of a corresponding context-sensitive term rewrite system [7]. Here however, overlapping 
rules are allowed and the data TRS is only required to be terminating, but it need not be confluent nor 
left-linear. This technique can be used to prove stabilization of hardware circuits, which have external 
inputs whose exact sequence of values is unknown. Thus, stabilization should be proven for all possible 
input sequences, which are therefore abstracted to be random Boolean streams, i.e., arbitrary streams 
containing the data values 0 and 1. 

Structure of the Paper. In Section 2 we introduce proper specifications, which are the forms of rewrite 
systems studied in this paper. After that, in Section 3 the different notions of productivity are discussed. 
For non-orthogonal specifications as studied in this paper, there exist both weak and strong productivity. 
We will motivate that strong productivity is the notion that we are interested in, as it does guarantee a 
constructor term to be reached by any outermost-fair reduction. The theoretical basis is laid in Section 4, 
proving our desired result that termination of a corresponding context-sensitive TRS implies strong 
productivity of a proper specification. Section 5 then applies this theory to an example hardware circuit, 
checking that for a given circuit the output values always stabilize, regardless of the sequence of input 
values. Finally, Section 6 concludes the paper. 

2 Specifications 

A specification gives the symbols and rules that shall be used to compute an intended infinite object. This 
section gives a brief introduction to term rewriting, mainly aimed at fixing notation. For an in-depth 
description of term rewriting, see for example [1]. All symbols are assumed to have one of two 
possible sorts. The first sort $d$ is for data. Terms of this sort represent the elements in an infinite structure, 
but which are not infinite terms by themselves. An example for data are the Booleans false and true 
(which are also written 0 and 1), or the natural numbers represented in Peano form by the two constructors 
0 and succ. The set of all terms of sort $d$ is denoted $\mathcal{T}_d(\Sigma_d, \mathcal{V}_d)$, where $\Sigma_d$ is a set of function symbols all 
having types of the form $d^m \to d$ and where $\mathcal{V}_d$ is a set of variables all having sort $d$. The second sort is 
the sort $s$ for structure. Terms of this sort are to represent the intended structure containing the data and 
therefore are allowed to be infinite. The set of all well-typed structure terms is denoted $\mathcal{T}_s(\Sigma_d \cup \Sigma_s, \mathcal{V})$, 
where $\Sigma_s$ is disjoint from $\Sigma_d$ and contains function symbols having types of the form $d^m \times s^n \to s$ and 
where $\mathcal{V} = \mathcal{V}_d \cup \mathcal{V}_s$ for a set $\mathcal{V}_s$ of variables all having sort $s$, which is disjoint from $\mathcal{V}_d$. We define the set of 
all well-typed terms as $\mathcal{T}(\Sigma_d \cup \Sigma_s, \mathcal{V}) = \mathcal{T}_d(\Sigma_d, \mathcal{V}_d) \cup \mathcal{T}_s(\Sigma_d \cup \Sigma_s, \mathcal{V})$ and denote the set of all ground terms, 
i.e., terms not containing any variables, by $\mathcal{T}(\Sigma_d \cup \Sigma_s) = \mathcal{T}(\Sigma_d \cup \Sigma_s, \emptyset)$. A term $t \in \mathcal{T}(\Sigma_d \cup \Sigma_s, \mathcal{V})$ of sort 
$q \in \{d, s\}$ is either a variable, i.e., $t \in \mathcal{V}_q$, or $t = f(u_1, \ldots, u_m, t_1, \ldots, t_n)$ with $f \in \Sigma_d \cup \Sigma_s$ of type $d^m \times s^n \to q$ 
(where $n = 0$ if $q = d$), $u_1, \ldots, u_m \in \mathcal{T}_d(\Sigma_d, \mathcal{V}_d)$, and $t_1, \ldots, t_n \in \mathcal{T}_s(\Sigma_d \cup \Sigma_s, \mathcal{V})$. In the latter case, i.e., 
when $t = f(u_1, \ldots, u_m, t_1, \ldots, t_n)$, we define the root of the term $t$ as $\mathrm{root}(t) = f$. 

A Term Rewrite System (TRS) over a signature $\Sigma$ is a collection of rules $(\ell, r) \in \mathcal{T}(\Sigma, \mathcal{V})^2$ such that 
$\ell \notin \mathcal{V}$ and every variable contained in $r$ is also contained in $\ell$. As usual, we write $\ell \to r$ instead of $(\ell, r)$. A 
term $t \in \mathcal{T}(\Sigma, \mathcal{V})$ rewrites to a term $t' \in \mathcal{T}(\Sigma, \mathcal{V})$ with the rule $\ell \to r \in \mathcal{R}$, denoted $t \to_{\ell \to r, p} t'$ at position 
$p \in \mathrm{Pos}(t)$, if a substitution $\sigma$ exists such that $t|_p = \ell\sigma$ and $t' = t[r\sigma]_p$. A position is as usual a sequence 
of natural numbers that identifies a number of argument positions taken to reach a certain subterm. The 
notation $t[r\sigma]_p$ represents the term $t$ in which the subterm at position $p$, that is denoted by $t|_p$, has been 
replaced by the term $r\sigma$. This is the term $r$ in which all variables have been replaced according to the 
substitution $\sigma$, which is a map from variables to terms. It is allowed to only indicate the term rewrite 
system $\mathcal{R}$ instead of the specific rule $\ell \to r$ or to leave out the subscripts in case they are irrelevant or clear 
from the context. The set of all normal forms of a TRS $\mathcal{R}$ over a signature $\Sigma$ is denoted $\mathrm{NF}(\mathcal{R})$ and is 
defined as $\mathrm{NF}(\mathcal{R}) = \{t \in \mathcal{T}(\Sigma, \mathcal{V}) \mid \nexists t' \in \mathcal{T}(\Sigma, \mathcal{V}) : t \to_{\mathcal{R}} t'\}$. The set of ground normal forms $\mathrm{NF}_{\mathrm{gnd}}(\mathcal{R})$ 
additionally requires that all contained terms are ground terms, i.e., $\mathrm{NF}_{\mathrm{gnd}}(\mathcal{R}) = \mathrm{NF}(\mathcal{R}) \cap \mathcal{T}(\Sigma)$. 

We still have to impose some restrictions on specifications to make our approach work. These 
restrictions are given below in the definition of proper specifications, which are similar to those of [14]. 

Definition 1. A proper specification is a tuple $\mathcal{S} = (\Sigma_d, \Sigma_s, \mathcal{C}, \mathcal{R}_d, \mathcal{R}_s)$, where $\Sigma_d$ is the signature of data 
symbols, each of type $d^m \to d$ (then the data arity of such a symbol $g$ is defined to be $\mathrm{ar}_d(g) = m$), $\Sigma_s$ is the 
signature of structure symbols $f$, which have types of the shape $d^m \times s^n \to s$ (and data arity $\mathrm{ar}_d(f) = m$, 
structure arity $\mathrm{ar}_s(f) = n$), $\mathcal{C} \subseteq \Sigma_s$ is a set of constructors, $\mathcal{R}_d$ is a terminating TRS over the signature $\Sigma_d$, 
and $\mathcal{R}_s$ is a TRS over the signature $\Sigma_d \cup \Sigma_s$, containing rules $f(u_1, \ldots, u_m, t_1, \ldots, t_n) \to t$ that satisfy the 
following properties: 

• $f \in \Sigma_s \setminus \mathcal{C}$ with $\mathrm{ar}_d(f) = m$, $\mathrm{ar}_s(f) = n$, 

• $f(u_1, \ldots, u_m, t_1, \ldots, t_n)$ is a well-sorted linear term, 

• $t$ is a well-sorted term of sort $s$, and 

• for all $1 \le i \le n$ and for all $p \in \mathrm{Pos}(t_i)$ such that $t_i|_p$ is not a variable and $\mathrm{root}(t_i|_p) \in \Sigma_s$, it holds 
that $\mathrm{root}(t_i|_{p'}) \notin \mathcal{C}$ for all $p' < p$ (i.e., no structure symbol is below a constructor). 

Furthermore, $\mathcal{R}_s$ is required to be exhaustive, meaning that for every $f \in \Sigma_s \setminus \mathcal{C}$ with $\mathrm{ar}_d(f) = m$, 
$\mathrm{ar}_s(f) = n$, ground normal forms $u_1, \ldots, u_m \in \mathrm{NF}_{\mathrm{gnd}}(\mathcal{R}_d)$, and terms $t_1, \ldots, t_n \in \mathcal{T}(\Sigma_d \cup \Sigma_s)$ such that for 
every $1 \le i \le n$, $t_i = c_i(u'_1, \ldots, u'_k, t'_1, \ldots, t'_l)$ with $u'_j \in \mathrm{NF}_{\mathrm{gnd}}(\mathcal{R}_d)$ for $1 \le j \le k = \mathrm{ar}_d(c_i)$ and $c_i \in \mathcal{C}$, there 
exists at least one rule $\ell \to r \in \mathcal{R}_s$ such that $\ell$ matches the term $f(u_1, \ldots, u_m, t_1, \ldots, t_n)$. 

A proper specification $\mathcal{S}$ is called orthogonal, if $\mathcal{R}_d \cup \mathcal{R}_s$ is orthogonal, otherwise it is called non-orthogonal. 



The above definition coincides with the definition of proper specifications given in [14] for orthogonal 
proper specifications.¹ We will illustrate the restrictions in the above definition later in Section 4. In 
the following, all examples except for Example 18 will be using the domain of Boolean streams, where 
$\mathcal{C} = \{:\}$ and $\Sigma_d \supseteq \{0, 1\}$ with $\mathrm{ar}_d(0) = \mathrm{ar}_d(1) = 0$ and $\mathrm{ar}_d(:) = \mathrm{ar}_s(:) = 1$. In these examples, only a data 
TRS $\mathcal{R}_d$ and a structure TRS $\mathcal{R}_s$ are given from which the remaining symbols in $\Sigma_d$ and $\Sigma_s$ and their 
arities can be derived. If the data TRS $\mathcal{R}_d$ is not provided it is assumed to be empty. 



3 Productivity 

For orthogonal proper specifications, productivity is the property that every ground term $t$ of sort $s$ can, 
in the limit, be rewritten to a possibly infinite term consisting only of constructors. This is equivalent 
to stating that for every prefix depth $k \in \mathbb{N}$, the term $t$ can be rewritten to another term $t'$ having only 
constructor symbols on positions of depth $k$ or less. 

Definition 2. An orthogonal proper specification $\mathcal{S} = (\Sigma_d, \Sigma_s, \mathcal{C}, \mathcal{R}_d, \mathcal{R}_s)$ is productive, iff for every 
ground term $t$ of sort $s$ and every $k \in \mathbb{N}$, there is a reduction $t \to^*_{\mathcal{R}_d \cup \mathcal{R}_s} t'$ such that every symbol of sort $s$ 
in $t'$ on depth less or equal to $k$ is a constructor. 

Productivity of an orthogonal proper specification is equivalent to the following property, as was 
shown in [14]. 

Proposition 3. An orthogonal proper specification $\mathcal{S} = (\Sigma_d, \Sigma_s, \mathcal{C}, \mathcal{R}_d, \mathcal{R}_s)$ is productive, iff for every 
ground term $t$ of sort $s$ there is a reduction $t \to^*_{\mathcal{R}_d \cup \mathcal{R}_s} t'$ such that $\mathrm{root}(t') \in \mathcal{C}$. 

It was already observed in [4, 2] that productivity of orthogonal specifications is equivalent to the 
existence of an outermost-fair reduction computing a constructor prefix for any given depth. Below, we 
give a general definition of outermost-fair reductions, as they will also be used in the non-orthogonal 
setting. 

¹ To see this, one should observe that a defined symbol cannot occur on a non-root position of a left-hand side. This holds 
since otherwise the innermost such symbol would have variables and constructors as structure arguments and data arguments that 
do not unify with any of the data rules (due to orthogonality), which therefore are normal forms and can be instantiated to ground 
normal forms. Thus, exhaustiveness would require a left-hand side to match this term when instantiating all structure variables 
with some terms having a constructor root, which would give a contradiction to non-overlappingness. 
Definition 4. 

• A redex is a subterm $t|_p$ of a term $t$ at position $p \in \mathrm{Pos}(t)$ such that a rule $\ell \to r$ and a substitution 
$\sigma$ exist with $t|_p = \ell\sigma$. The redex $t|_p$ is said to be matched by the rule $\ell \to r$. 

• A redex is called outermost iff it is not a strict subterm of another redex. 

• A redex $t|_p = \ell\sigma$ is said to survive a reduction step $t \to_{\ell' \to r', q} t'$ if $p \parallel q$, or if $p < q$ and $t' = t[\ell\sigma']_p$ 
for some substitution $\sigma'$ (i.e., the same rule can still be applied at $p$). 

• A rewrite sequence (reduction) is called outermost-fair, iff there is no outermost redex that survives 
as an outermost redex infinitely long. 

• A rewrite sequence (reduction) is called maximal, iff it is infinite or ends in a normal form (a term 
that cannot be rewritten further). 

For non-orthogonal proper specifications, requiring just the existence of a reduction to a normal form 
(or to a constructor prefix of arbitrary depth) does not guarantee the computation to reach it, due to the 
possible non-deterministic choices. This can be observed for the term maybe in the following example. 

Example 5. Consider a proper specification with the TRS $\mathcal{R}_s$ consisting of the following rules: 

maybe → 0 : maybe        random → 0 : random 
maybe → maybe            random → 1 : random 

This specification is not orthogonal, since the rules for maybe as well as those for random overlap. 
We do not want to call this specification productive, since it admits the infinite outermost-fair reduction 
maybe → maybe → ... that never produces any constructors. However, there exists an infinite reduction 
producing infinitely many constructors starting in the term maybe, namely maybe → 0 : maybe → 0 : 0 : 
maybe → .... When only considering the rules for random then we want to call the resulting specification 
productive, since no matter what rule of random we choose, an element of the stream is created. 

Requiring just the existence of a constructor normal form is called weak productivity in [4, 2]. We 
already stated above that this is not the notion of productivity we are interested in. The one we are 
interested in is strong productivity, which is also defined in [4, 2], since it requires all reductions that 
make progress on outermost positions to reach constructor normal forms. 

Definition 6. A proper specification S is called strongly productive iff for every ground term t of sort s 
all maximal outermost-fair rewrite sequences starting in t end in (i.e., have as limit for infinite sequences) 
a constructor normal form. 

It was observed in [4, 2] that weak and strong productivity coincide for orthogonal (proper) specifications. 
However, for non-orthogonal (proper) specifications this is not the case anymore. The rules for 
maybe in Example 5 are not strongly productive, since they allow the infinite outermost-fair reduction 
maybe → maybe → .... However, these rules are weakly productive, since any ground term can be 
rewritten to an infinite stream containing only 0 elements after some finite prefix. For example, the ground 
term 1 : maybe can be rewritten to the infinite stream 1 : 0 : 0 : .... 

An example of a non-orthogonal proper specification that is both strongly and weakly productive 
are the rules for random in Example 5, which always produce an infinite stream. In this case, the 
restriction to outermost-fair reductions is not needed. However, if we add the rule id(xs) → xs and 
replace the rule random → 1 : random by the rule random → id(1 : random), then the infinite reduction 
random → id(1 : random) → id(1 : id(1 : random)) → ... exists. This reduction is not outermost-fair 
since the outermost redex id(...) survives infinitely often. When restricting to outermost-fair reductions, 
then indeed an infinite stream of Boolean values is obtained for every such reduction, so this is a strongly 
productive proper specification, too. Note that strong productivity implies weak productivity, so the 
example is also weakly productive. 
4 Criteria for Strong Productivity 

For orthogonal proper specifications, it is sufficient to just consider reductions that create a constructor 
at the top, as stated in Proposition 3. We will show next that this is also the case for non-orthogonal 
proper specifications. However, in contrast to [14], here we have to consider all maximal outermost-fair 
reductions, instead of just requiring the existence of such a reduction. 

Proposition 7. A proper specification $\mathcal{S} = (\Sigma_d, \Sigma_s, \mathcal{C}, \mathcal{R}_d, \mathcal{R}_s)$ is strongly productive iff for every maximal 
outermost-fair reduction $t_0 \to_{\mathcal{R}_d \cup \mathcal{R}_s} t_1 \to_{\mathcal{R}_d \cup \mathcal{R}_s} \cdots$ with $t_0$ being of sort $s$ there exists $k \in \mathbb{N}$ such that 
$\mathrm{root}(t_k) \in \mathcal{C}$. 

Proof. The "only if"-direction is trivial. For the "if"-direction, we show inductively that for every depth 
$z \in \mathbb{N}$ and every maximal outermost-fair reduction $\rho = t_0 \to_{p_0} t_1 \to_{p_1} \cdots$ there exists an index $j \in \mathbb{N}$ such 
that for all positions $p \in \mathrm{Pos}(t_j)$ of sort $s$ with $|p| < z$, $\mathrm{root}(t_j|_p) \in \mathcal{C}$. 

For $z = 0$, the index $j$ can be set to 0, thus here the claim trivially holds. Otherwise, we get that 
an index $k \in \mathbb{N}$ exists such that $\mathrm{root}(t_k) \in \mathcal{C}$. Let $t_k = c(u'_1, \ldots, u'_m, t'_1, \ldots, t'_n)$ with $c \in \mathcal{C}$. Because $c$ is 
a constructor, we know that $p_i > \varepsilon$ for all $i \ge k$. Define $P_r = \{p'_i \mid p_i = (m + r).p'_i\}$ for $1 \le r \le n$ (i.e., 
the positions in the maximal outermost-fair reduction that are occurring in structure argument $r$). Then, 
for $1 \le r \le n$ and $P_r = \{p^r_0, p^r_1, \ldots\}$ the reduction $t'_r = t_{r,0} \to_{p^r_0} t_{r,1} \to_{p^r_1} \cd ots$ is also a maximal outermost-fair 
reduction, otherwise an infinitely long surviving outermost redex would also be an infinitely long 
surviving outermost redex of the reduction $\rho$. By the induction hypothesis for $z - 1$ we get that indices 
$j_r$ for $1 \le r \le n$ exist such that $\mathrm{root}(t_{r,j_r}|_p) \in \mathcal{C}$ for all positions $p \in \mathrm{Pos}(t_{r,j_r})$ with $|p| < z - 1$. Since all 
these reductions were taken from the original reduction, we define $j = k + \#\text{d-red} + \sum_{i=1}^{n} j_i$, where $\#\text{d-red}$ 
denotes the number of reductions performed in the data arguments of the constructor $c$ such that $p_j = p^r_{j_r}$ 
for the last $r$. This shows that the initial reduction $\rho$ has the form $t_0 \to^* t_k = c(u'_1, \ldots, u'_m, t'_1, \ldots, t'_n) \to^* 
c(u''_1, \ldots, u''_m, t''_1, \ldots, t''_n) = t_{j+1}$, where $t_{r,j_r} \to^* t''_r$ for every $1 \le r \le n$. Since there are only constructors in 
$t_{r,j_r}$ for depths $0, \ldots, z - 2$, these constructors are still present in $t''_r$. This proves the proposition, since 
$c \in \mathcal{C}$ and thus for all positions $p \in \mathrm{Pos}(t_j)$ of sort $s$ with $|p| < z$ we have $\mathrm{root}(t_j|_p) \in \mathcal{C}$. □ 

This characterization of strong productivity will be used in the remainder of the paper. Note that 
it is similar to the requirements for infinitary strong normalization $SN^\infty$ observed in [12], where it is 
found that for left-linear and finite term rewrite systems, $SN^\infty$ holds if and only if every infinite reduction 
only contains a finite number of root steps. Thus, it could seem possible to define strong productivity of 
proper specifications by requiring that every reduction starting in a finite ground term is infinitary strongly 
normalizing, i.e., $SN^\infty$ holds for the relation $\to_{\mathcal{R}_d \cup \mathcal{R}_s} \cap \mathcal{T}(\Sigma_d \cup \Sigma_s)^2$. However, this is not the case, as the 
following example shows. 

Example 8. Consider the proper specification containing the following TRS $\mathcal{R}_s$: 

a → f(a)        f(x : xs) → x : xs 

This TRS has the property $SN^\infty$, intuitively because either the symbol f remains at the root position 
and can never be rewritten again (in case the first rule is applied), or the constructor : is created at the root. 
Formally, this can for example be proven by the technique presented in [12]: Let $\Sigma^\# = \Sigma \uplus \{g^\# \mid g \in \Sigma\}$, 
where $\Sigma = \{0, 1, :, \mathrm{a}, \mathrm{f}\}$ is the signature of the specification. Then we choose the finite weakly monotone $\Sigma^\#$-algebra 
$(\{0, 1, 2\}, [\cdot], \bot, >, \ge)$, where $\bot = 0$, $[0] = 0$, $[1] = 0$, $[\mathrm{a}] = 1$, $[\mathrm{f}](n) = n$, $[:](m, n) = \min\{m + n, 2\}$, 
$[\mathrm{a}^\#] = 2$, $[\mathrm{f}^\#](n) = 1$, and $[:^\#](m, n) = 0$ for $m, n \in \{0, 1, 2\}$ and $>$ and $\ge$ are the natural comparison 
operators on the numbers $\{0, 1, 2\}$. It is easy to check that this algebra is indeed weakly monotone 
(i.e., that $>$ is well-founded, $\ge \cdot > \subseteq > \subseteq \ge$, and for every $g \in \Sigma^\#$, the operation $[g]$ is monotone with 
respect to $\ge$). Additionally, the requirements of the combination of [12, Theorem 5 and Theorem 6] 
are satisfied, i.e., $\{0, 1, 2\}$ is finite, $>$ is transitive, $a \ge b$ implies $a > b$ or $a = b$, $a \ge \bot = 0$ for all 
$a, b \in \{0, 1, 2\}$, and $[\ell\sigma] \ge [r\sigma]$ and $[\ell^\#\sigma] > [r^\#\sigma]$ for all $\ell \to r \in \mathcal{R}_s$ and all substitutions $\sigma$, where 
$g(t_1, \ldots, t_k)^\# = g^\#(t_1, \ldots, t_k)$. This proves $SN^\infty$ of $\to_{\mathcal{R}_s}$, which especially entails $SN^\infty$ of the relation 
$\to_{\mathcal{R}_s} \cap \mathcal{T}(\Sigma_d \cup \Sigma_s)^2$. 

However, the above proper specification is not strongly productive, since the infinite outermost-fair 
reduction a $\to_{\mathcal{R}_s}$ f(a) $\to_{\mathcal{R}_s}$ f(f(a)) $\to_{\mathcal{R}_s} \cdots$, continued by repeatedly reducing the symbol a, never 
produces any constructors. 
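The side conditions listed in Example 8 are all decidable by enumeration over the carrier $\{0, 1, 2\}$, so they can be machine-checked. The following Python block is an added example and not code from the paper: it encodes the interpretations $[g]$ and $[g^\#]$ exactly as given above, brute-forces weak monotonicity of every operation with respect to $\ge$, and checks $[\ell\sigma] \ge [r\sigma]$ and $[\ell^\#\sigma] > [r^\#\sigma]$ for both rules under every valuation of the rule variables. The term encoding and the function names are my own choices.

```python
from itertools import product

DOMAIN = (0, 1, 2)      # carrier of the finite algebra in Example 8
BOTTOM = 0

# Interpretations [g] and [g#] exactly as listed in Example 8.
INTERP = {
    "0": lambda: 0, "1": lambda: 0, "a": lambda: 1,
    "f": lambda n: n, ":": lambda m, n: min(m + n, 2),
    "a#": lambda: 2, "f#": lambda n: 1, ":#": lambda m, n: 0,
}
ARITY = {"0": 0, "1": 0, "a": 0, "f": 1, ":": 2, "a#": 0, "f#": 1, ":#": 2}

# Terms as (symbol, args) tuples; variables are strings.
def T(sym, *args): return (sym, tuple(args))

def evaluate(t, valuation):
    """[t] under a valuation of its variables into DOMAIN."""
    if isinstance(t, str):
        return valuation[t]
    return INTERP[t[0]](*(evaluate(a, valuation) for a in t[1]))

def marked(t):
    """t#: mark only the root symbol, g(t1,...,tk)# = g#(t1,...,tk)."""
    return (t[0] + "#", t[1])

def variables(t):
    return {t} if isinstance(t, str) else set().union(*(variables(a) for a in t[1]))

def monotone(sym):
    """[sym] is weakly monotone: raising one argument w.r.t. >= never lowers the result."""
    k = ARITY[sym]
    for args in product(DOMAIN, repeat=k):
        for i in range(k):
            for v in DOMAIN:
                bigger = args[:i] + (v,) + args[i + 1:]
                if v >= args[i] and INTERP[sym](*bigger) < INTERP[sym](*args):
                    return False
    return True

def rule_ok(lhs, rhs):
    """[l s] >= [r s] and [l# s] > [r# s] for every substitution s into DOMAIN."""
    vs = sorted(variables(lhs))
    for vals in product(DOMAIN, repeat=len(vs)):
        s = dict(zip(vs, vals))
        if evaluate(lhs, s) < evaluate(rhs, s):
            return False
        if not evaluate(marked(lhs), s) > evaluate(marked(rhs), s):
            return False
    return True

# The two rules of Example 8: a -> f(a) and f(x : xs) -> x : xs.
RULES = [(T("a"), T("f", T("a"))),
         (T("f", T(":", "x", "xs")), T(":", "x", "xs"))]

def check_example8():
    """All side conditions of Example 8 that are checkable by enumeration."""
    return (all(monotone(g) for g in INTERP)
            and all(v >= BOTTOM for v in DOMAIN)
            and all(rule_ok(l, r) for l, r in RULES))
```

`check_example8()` returns `True` for the algebra of the text; changing, say, `[f#]` to the constant 0 makes `rule_ok` reject the second rule because the strict inequality `1 > 0` on the marked terms is lost, which is exactly the condition that rules out infinitely many root steps.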

The above example shows that even though we require exhaustiveness of proper specifications, this 
exhaustiveness only refers to constructor terms, i.e., the objects we are interested in, and not to arbitrary 
terms. A similar observation, namely that top termination is not equivalent to productivity, was already 
made in [15]. 

A first technique to prove strong productivity of proper specifications is given next. It is a simple 
syntactic check that determines whether every right-hand side of sort $s$ starts with a constructor. For 
orthogonal proper specifications, this was already observed in [14]. It has to be proven again since here we 
consider strong productivity, which requires all possible outermost-fair reductions to reach a constructor 
normal form, instead of weak productivity as in [14], for which only a single reduction to a constructor 
normal form needs to be constructed. 

Theorem 9. Let $\mathcal{S} = (\Sigma_d, \Sigma_s, \mathcal{C}, \mathcal{R}_d, \mathcal{R}_s)$ be a proper specification. If for all rules $\ell \to r \in \mathcal{R}_s$ we have 
$\mathrm{root}(r) \in \mathcal{C}$, then $\mathcal{S}$ is strongly productive. 

Proof. Let $\rho = t_0 \to_{p_0} t_1 \to_{p_1} \cdots$ be a maximal outermost-fair reduction and let $t_0 = f(u'_1, \ldots, u'_m, t'_1, \ldots, t'_n)$. 
If $f \in \mathcal{C}$ we are done, so we assume $f \in \Sigma_s \setminus \mathcal{C}$ and perform structural induction on $t_0$ to prove that 
$\mathrm{root}(t_k) \in \mathcal{C}$ for some $k \in \mathbb{N}$. 

From the induction hypothesis we get that for every $1 \le i \le n$ and every maximal outermost-fair 
reduction $t'_i = t_{i,0} \to t_{i,1} \to \cdots$ there exists an index $k_i \in \mathbb{N}$ such that $\mathrm{root}(t_{i,k_i}) \in \mathcal{C}$. 

Assume that for all $j \in \mathbb{N}$, $p_j \ne \varepsilon$. As in the proof of Proposition 7 we therefore again obtain maximal 
outermost-fair reductions $t'_i \to \cdots$, thus we get indices $k_i \in \mathbb{N}$ such that $\mathrm{root}(t_{i,k_i}) \in \mathcal{C}$, as explained above. 
This makes our reduction $\rho$ have the shape $t_0 = f(u'_1, \ldots, u'_m, t'_1, \ldots, t'_n) \to^* f(u''_1, \ldots, u''_m, t''_1, \ldots, t''_n) = t_j$ 
for some $j \in \mathbb{N}$, where $u''_1, \ldots, u''_m \in \mathrm{NF}_{\mathrm{gnd}}(\mathcal{R}_d)$ (since the reduction $\rho$ is maximal outermost-fair and $\mathcal{R}_d$ 
is terminating) and $t_{i,k_i} \to^* t''_i$, thus also $\mathrm{root}(t''_i) \in \mathcal{C}$. Because $\mathcal{R}_s$ is exhaustive, we get that $t_j$ contains a 
redex at the root position $\varepsilon$, which of course is outermost. This gives rise to a contradiction to $\rho$ being 
outermost-fair, as this outermost redex survives infinitely often, because $p_j \ne \varepsilon$ for all $j \in \mathbb{N}$. Therefore, 
$p_j = \varepsilon$ for some $j \in \mathbb{N}$ and the reduction has the shape $t_0 \to^* t_j \to_\varepsilon r\sigma$, where the last step is with respect 
to some rule $\ell \to r \in \mathcal{R}_s$. By the assumption on the shape of the rules in $\mathcal{R}_s$, we have $\mathrm{root}(r) \in \mathcal{C}$, hence 
also $\mathrm{root}(r\sigma) \in \mathcal{C}$, which proves productivity according to Proposition 7. □ 

This technique is sufficient to prove strong productivity of the proper specification consisting of the 
two rules for random in Example 5, since both have right-hand sides with the constructor : at the root. 
However, it is easy to create examples which are strongly productive, but do not satisfy the syntactic 
requirements of Theorem 9. 

Example 10. Consider the proper specification with the following TRS $\mathcal{R}_s$: 

ones → 1 : ones 
finZeroes → 0 : ones 
finZeroes → 0 : 0 : ones 
finZeroes → 0 : 0 : 0 : ones 
f(0 : xs) → f(xs) 
f(1 : xs) → 1 : f(xs) 

The constant finZeroes produces non-deterministically a stream that starts with one, two, or three 
zeroes followed by an infinite stream of ones. Function f takes a binary stream as argument and filters out 
all occurrences of zeroes. Thus, productivity of this example proves that only a finite number of zeroes 
can be produced. This however cannot be proven with the technique of Theorem 9, since the right-hand 
side of the rule f(0 : xs) → f(xs) does not start with the constructor :. 

Another technique presented in [14] to show productivity of orthogonal proper specifications is 
based on context-sensitive termination [7]. The idea is to disallow rewriting in structure arguments of 
constructors, thus context-sensitive termination implies that for every ground term of sort $s$, a term starting 
with a constructor can be reached (due to the exhaustiveness requirement). As was observed by Endrullis 
and Hendriks recently in [5], this set of blocked positions can be enlarged, making the approach even 
stronger. 

Below, the technique for proving productivity by showing termination of a corresponding context-sensitive 
TRS is extended to also be applicable in the case of our more general proper specifications. This 
version already includes an adaption of the improvement mentioned above. 

Definition 11. Let $\mathcal{S} = (\Sigma_d, \Sigma_s, \mathcal{C}, \mathcal{R}_d, \mathcal{R}_s)$ be a proper specification. The replacement map $\mu_{\mathcal{S}} : \Sigma_d \cup \Sigma_s \to 2^{\mathbb{N}}$ 
is defined as follows: 

• $\mu_{\mathcal{S}}(f) = \{1, \ldots, \mathrm{ar}_d(f)\}$, if $f \in \Sigma_d \cup \mathcal{C}$ 

• $\mu_{\mathcal{S}}(f) = \{1, \ldots, \mathrm{ar}_d(f) + \mathrm{ar}_s(f)\} \setminus \{1 \le i \le \mathrm{ar}_d(f) + \mathrm{ar}_s(f) \mid t|_i$ is a variable for all $\ell \to r \in \mathcal{R}_s$ and 
all non-variable subterms $t$ of $\ell$ with $\mathrm{root}(t) = f\}$, otherwise³ 

In the remainder, we leave out the subscript $\mathcal{S}$ if the specification is clear from the context. The 
replacement map $\mu$ is used to define the set of allowed positions of a non-variable term $t$ as $\mathrm{Pos}_\mu(t) = \{\varepsilon\} \cup 
\{i.p \mid i \in \mu(\mathrm{root}(t)), p \in \mathrm{Pos}_\mu(t|_i)\}$ and the set of blocked positions of $t$ as $\mathrm{blocked}_\mu(t) = \mathrm{Pos}(t) \setminus \mathrm{Pos}_\mu(t)$. 
Context-sensitive rewriting [7] then is the restriction of the rewrite relation to those redexes on positions 
from $\mathrm{Pos}_\mu$. Formally, we have $t \hookrightarrow_{\ell \to r, p} t'$ iff $t \to_{\ell \to r, p} t'$ and $p \in \mathrm{Pos}_\mu(t)$ and we say a TRS $\mathcal{R}$ is 
$\mu$-terminating iff no infinite $\hookrightarrow$-chain exists. 

The replacement map $\mu_{\mathcal{S}}$ is canonical [8] for the left-linear TRS $\mathcal{R}_s$, guaranteeing through the second 
condition of the above Definition 11 that non-variable positions of left-hand sides are allowed. In that 
definition, the replacement map $\mu_{\mathcal{S}}$ is extended to the possibly non-left-linear TRS $\mathcal{R}_d \cup \mathcal{R}_s$ by allowing 
all arguments of symbols from $\Sigma_d$. 
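The notions of Section 3 (outermost-fair reductions, Example 5) and of this section (the syntactic check of Theorem 9, the replacement map $\mu_{\mathcal{S}}$ of Definition 11 and the allowed redex of Lemma 14) can be exercised on the Boolean-stream examples with a few dozen lines of code. The following Python block is an added example, not code from the paper: it implements matching and parallel-outermost rewriting for specifications with $\mathcal{C} = \{:\}$, runs Example 5 under an adversarial rule choice (the rules for maybe never produce a constructor, those for random do), applies the check of Theorem 9, computes $\mu_{\mathcal{S}}$ for Example 10 and finds an allowed redex as in Lemma 14. The term encoding, the function names, the `choose` policy and the arity table `ARITY10` are my own constructions.

```python
# Terms: a variable is a str ("xs"); an application is (symbol, args-tuple).
def T(sym, *args): return (sym, tuple(args))
def is_var(t): return isinstance(t, str)

def match(pat, term, subst):     # extend subst so that pat.subst == term; False on mismatch
    if is_var(pat):
        return subst.setdefault(pat, term) == term
    if is_var(term) or pat[0] != term[0] or len(pat[1]) != len(term[1]):
        return False
    return all(match(p, a, subst) for p, a in zip(pat[1], term[1]))

def apply(subst, t):
    return subst[t] if is_var(t) else (t[0], tuple(apply(subst, a) for a in t[1]))

def positions(t, p=()):          # Pos(t) as tuples of 1-based indices, root = ()
    yield p
    if not is_var(t):
        for i, a in enumerate(t[1], 1):
            yield from positions(a, p + (i,))
def subterm(t, p):               # t|_p
    return t if not p else subterm(t[1][p[0] - 1], p[1:])
def replace(t, p, s):            # t[s]_p
    if not p: return s
    args = list(t[1]); args[p[0] - 1] = replace(args[p[0] - 1], p[1:], s)
    return (t[0], tuple(args))

def redexes(t, rules):
    """position -> list of (lhs, rhs, subst) for each rule whose lhs matches t|_p."""
    out = {}
    for p in positions(t):
        for l, r in rules:
            s = {}
            if match(l, subterm(t, p), s):
                out.setdefault(p, []).append((l, r, s))
    return out
def outermost(red):              # redex positions not strictly below another redex
    return [p for p in red if not any(q != p and p[:len(q)] == q for q in red)]

def step(t, rules, choose):
    """Parallel-outermost step: contract every outermost redex, `choose` picking the rule
    where several overlap. No outermost redex survives forever, so iterating this step
    gives an outermost-fair reduction in the sense of Definition 4."""
    red = redexes(t, rules)
    if not red:
        return None                       # normal form
    for p in outermost(red):              # pairwise parallel, so order is irrelevant
        l, r, s = choose(red[p])
        t = replace(t, p, apply(s, r))
    return t
def run(t, rules, choose, steps):
    for _ in range(steps):
        t = step(t, rules, choose) or t   # a normal form stays put
    return t

def constructor_prefix(t):       # depth of the ':' prefix of a Boolean stream term
    n = 0
    while not is_var(t) and t[0] == ":":
        n, t = n + 1, t[1][1]             # descend into the structure argument
    return n
def theorem9(rules_s):           # syntactic check of Theorem 9 for C = {:}
    return all(not is_var(r) and r[0] == ":" for _, r in rules_s)

def replacement_map(arities, data_syms, rules_s):
    """mu_S of Definition 11 for C = {:}; arities maps symbol -> (ar_d, ar_s)."""
    mu = {}
    for f, (ard, ars) in arities.items():
        if f in data_syms or f == ":":
            mu[f] = set(range(1, ard + 1))
            continue
        mu[f] = set()   # argument i allowed iff non-variable in some lhs subterm rooted at f
        for l, _ in rules_s:
            for p in positions(l):
                sub = subterm(l, p)
                if not is_var(sub) and sub[0] == f:
                    mu[f] |= {i for i, a in enumerate(sub[1], 1) if not is_var(a)}
    return mu
def allowed_positions(t, mu, p=()):   # Pos_mu(t)
    yield p
    if not is_var(t):
        for i in sorted(mu[t[0]]):
            yield from allowed_positions(t[1][i - 1], mu, p + (i,))
def allowed_redex(t, rules, mu):
    """Lemma 14: a redex position in Pos_mu(t), or None if every redex is blocked."""
    red = redexes(t, rules)
    return next((p for p in allowed_positions(t, mu) if p in red), None)

# Constructed inputs encoding Example 5 and Example 10 of the paper.
ZERO, ONE, MAYBE, RANDOM, ONES, FINZ = (T(c) for c in ("0", "1", "maybe", "random", "ones", "finZeroes"))
def cons(x, xs): return T(":", x, xs)
EX5 = [(MAYBE, cons(ZERO, MAYBE)), (MAYBE, MAYBE),
       (RANDOM, cons(ZERO, RANDOM)), (RANDOM, cons(ONE, RANDOM))]
EX10 = [(ONES, cons(ONE, ONES)), (FINZ, cons(ZERO, ONES)),
        (FINZ, cons(ZERO, cons(ZERO, ONES))), (FINZ, cons(ZERO, cons(ZERO, cons(ZERO, ONES)))),
        (T("f", cons(ZERO, "xs")), T("f", "xs")), (T("f", cons(ONE, "xs")), cons(ONE, T("f", "xs")))]
ARITY10 = {"0": (0, 0), "1": (0, 0), ":": (1, 1), "ones": (0, 0), "finZeroes": (0, 0), "f": (0, 1)}
MU10 = replacement_map(ARITY10, {"0", "1"}, EX10)   # mu(f) = {1}, mu(:) = {1}, rest empty

def adversary(options):          # prefer a rule whose right-hand side is not constructor-rooted
    return next((o for o in options if is_var(o[1]) or o[1][0] != ":"), options[0])
```

Running `run(MAYBE, EX5, adversary, 10)` leaves the term at `maybe` with constructor prefix 0, while the fair choice `lambda o: o[0]` yields a prefix of depth 10, which is the weak-versus-strong distinction of Section 3 in executable form; `run(RANDOM, EX5, adversary, 10)` reaches depth 10 whatever `choose` does. For Example 10, `MU10["f"] == {1}` and `MU10["finZeroes"] == set()`, so `allowed_redex(T("f", FINZ), EX10, MU10)` returns the position `(1,)`, whereas in `0 : f(finZeroes)` the only redex sits below the structure argument of `:` and is blocked, matching the precondition $\mathrm{root}(t) \notin \mathcal{C}$ of Lemma 14.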

Our main result of this paper is that also for possibly non-orthogonal proper specifications, $\mu$-termination 
implies productivity. 

Theorem 12. A proper specification $\mathcal{S} = (\Sigma_d, \Sigma_s, \mathcal{C}, \mathcal{R}_d, \mathcal{R}_s)$ is strongly productive, if $\mathcal{R}_d \cup \mathcal{R}_s$ is $\mu_{\mathcal{S}}$-terminating. 

Before proving the above theorem, we will show first that it subsumes Theorem 9. Intuitively, this 
holds because structure arguments of constructors are blocked, and if every right-hand side of $\mathcal{R}_s$ starts 
with a constructor then the number of allowed redexes of sort $s$ in a term steadily decreases. 

² Note that in [5], Endrullis and Hendriks consider orthogonal TRSs and also block arguments of symbols in $\Sigma_d$ which only 
contain variables. This however is problematic when allowing data rules that are not left-linear. Example: 

$\mathcal{R}_s$:  f(1) → f(d(0, d(1, 0)))        f(0) → 0 : f(0) 
$\mathcal{R}_d$:  d(x, x) → 1        d(0, x) → 0        d(1, x) → 0 

Here, the term f(d(0, d(1, 0))) can only be $\mu$-rewritten to the term f(0) (which then in turn has to be rewritten to 0 : f(0)) if 
defining $\mu(\mathrm{d}) = \{1\}$, since the subterm d(1, 0) can never be rewritten to 0. However, the example is not strongly productive, 
as reducing in this way gives rise to an infinite outermost-fair reduction f(d(0, d(1, 0))) → f(d(0, 0)) → f(1) → .... Blocking 
arguments of data symbols can only be done when $\mathcal{R}_d$ is left-linear. 

³ The requirement of $t$ not being a variable ensures that $\mathrm{root}(t)$ is defined. 
Proposition 13. Let $\mathcal{S} = (\Sigma_d, \Sigma_s, \mathcal{C}, \mathcal{R}_d, \mathcal{R}_s)$ be a proper specification. If for all rules $\ell \to r \in \mathcal{R}_s$ we have 
$\mathrm{root}(r) \in \mathcal{C}$, then $\mathcal{R}_d \cup \mathcal{R}_s$ is $\mu_{\mathcal{S}}$-terminating. 

Proof. Let $t \in \mathcal{T}(\Sigma_d \cup \Sigma_s, \mathcal{V})$ be well-typed. If $t$ has sort $d$, then all subterms must also be of sort $d$, as 
symbols from $\Sigma_d$ only have arguments of that sort. Hence, rewriting can only be done with rules from $\mathcal{R}_d$, 
which is assumed to be terminating. 

Otherwise, let $t$ be of sort $s$ and assume that $t$ starts an infinite $\mu$-reduction $t = t_0 \hookrightarrow_{\ell_0 \to r_0, p_0} 
t_1 \hookrightarrow_{\ell_1 \to r_1, p_1} t_2 \hookrightarrow_{\ell_2 \to r_2, p_2} \cdots$. We define $\mathrm{Pos}^{\mathrm{red}_s}_\mu(t') = \{p \in \mathrm{Pos}_\mu(t') \mid t'|_p$ is a redex of sort $s\}$ for 
any term $t' \in \mathcal{T}(\Sigma_d \cup \Sigma_s, \mathcal{V})$. It will be proven that in every step $t_i \hookrightarrow_{\ell_i \to r_i, p_i} t_{i+1}$ of the infinite reduction, 
$|\mathrm{Pos}^{\mathrm{red}_s}_\mu(t_{i+1})| \le |\mathrm{Pos}^{\mathrm{red}_s}_\mu(t_i)|$ and that for steps with $\ell_i \to r_i \in \mathcal{R}_s$, we even have $|\mathrm{Pos}^{\mathrm{red}_s}_\mu(t_{i+1})| < 
|\mathrm{Pos}^{\mathrm{red}_s}_\mu(t_i)|$. To this end, case analysis of the rule $\ell_i \to r_i$ is performed. If $\ell_i \to r_i \in \mathcal{R}_d$, then $t_i = t_i[\ell_i\sigma_i]_{p_i}$ 
and $t_{i+1} = t_i[r_i\sigma_i]_{p_i}$ for some substitution $\sigma_i$. Because $\ell_i, r_i \in \mathcal{T}(\Sigma_d, \mathcal{V})$, $|\mathrm{Pos}^{\mathrm{red}_s}_\mu(\ell_i\sigma_i)| = |\mathrm{Pos}^{\mathrm{red}_s}_\mu(r_i\sigma_i)| = 0$ 
since all symbols in $\Sigma_d$ have arguments of sort $d$. Thus, $\mathrm{Pos}^{\mathrm{red}_s}_\mu(t_{i+1}) = \mathrm{Pos}^{\mathrm{red}_s}_\mu(t_i)$. In the second 
case, $\ell_i \to r_i \in \mathcal{R}_s$. Let $t_i = t_i[\ell_i\sigma_i]_{p_i}$ and $t_{i+1} = t_i[r_i\sigma_i]_{p_i}$ for some substitution $\sigma_i$. Then, $\mathrm{Pos}^{\mathrm{red}_s}_\mu(t_i) = 
\mathrm{Pos}^{\mathrm{red}_s}_\mu(t_i[z]_{p_i}) \uplus \{p_i.p \mid p \in \mathrm{Pos}^{\mathrm{red}_s}_\mu(t_i|_{p_i})\}$ for any variable $z \in \mathcal{V}$ of sort $s$. For $t_{i+1}$ we observe that 
$\mathrm{Pos}^{\mathrm{red}_s}_\mu(t_{i+1}) = \mathrm{Pos}^{\mathrm{red}_s}_\mu(t_i[r_i\sigma_i]_{p_i}) = \mathrm{Pos}^{\mathrm{red}_s}_\mu(t_i[z]_{p_i}) \uplus \{p_i.p \mid p \in \mathrm{Pos}^{\mathrm{red}_s}_\mu(t_i[r_i\sigma_i]_{p_i}|_{p_i})\}$ for any variable $z \in 
\mathcal{V}$ of sort $s$. Here, it holds that $\mathrm{Pos}^{\mathrm{red}_s}_\mu(t_i|_{p_i}) = \mathrm{Pos}^{\mathrm{red}_s}_\mu(\ell_i\sigma_i) \ni \varepsilon$, therefore $p_i \in \mathrm{Pos}^{\mathrm{red}_s}_\mu(t_i)$. Furthermore, 
$\mathrm{Pos}^{\mathrm{red}_s}_\mu(t_i[r_i\sigma_i]_{p_i}|_{p_i}) = \mathrm{Pos}^{\mathrm{red}_s}_\mu(r_i\sigma_i) = \emptyset$, since $\mathrm{root}(r_i) \in \mathcal{C}$ by assumption, hence $\mu(\mathrm{root}(r_i)) = 
\{1, \ldots, \mathrm{ar}_d(\mathrm{root}(r_i))\}$ and because symbols from $\Sigma_d$ only have arguments of sort $d$. Thus, $\mathrm{Pos}^{\mathrm{red}_s}_\mu(t_{i+1}) \subsetneq 
\mathrm{Pos}^{\mathrm{red}_s}_\mu(t_i)$. 

Combining these observations, we therefore only have finitely many reductions with rules from $\mathcal{R}_s$ in 
the infinite reduction. Thus, an infinite tail of steps with rules from $\mathcal{R}_d$ exists. This however contradicts 
the assumption that $\mathcal{R}_d$ is terminating, hence no infinite $\mu$-reduction can exist which proves $\mu$-termination 
of $\mathcal{R}_d \cup \mathcal{R}_s$. □ 

Hence, we could restrict ourselves to analyzing context-sensitive termination only. However, the 
syntactic check of Theorem 9 can be done very fast and should therefore be the first method to try. 

In order to prove Theorem 12 we will show that a maximal outermost-fair reduction that never reaches 
a constructor entails an infinite $\mu$-reduction. For this purpose we need the following lemma, which shows 
that in every ground term not starting with a constructor there exists a redex that is not blocked by the 
replacement map $\mu$. 

Lemma 14. Let $\mathcal{S} = (\Sigma_d, \Sigma_s, \mathcal{C}, \mathcal{R}_d, \mathcal{R}_s)$ be a proper specification. For all ground terms $t$ of sort $s$ with 
$\mathrm{root}(t) \notin \mathcal{C}$ there exists a position $p \in \mathrm{Pos}_\mu(t)$ such that $t \to_p$. 

Proof. Let $t = f(u_1, \ldots, u_m, t_1, \ldots, t_n)$. We perform structural induction on $t$. If $u_i \to_{p'}$ for some $1 \le i \le m$ 
with $i \in \mu(f)$, then $t \to_{i.p'}$ and $i.p' \in \mathrm{Pos}_\mu(t)$ since arguments of data symbols are never blocked. Thus, 
we assume in the remainder that $u_i \in \mathrm{NF}_{\mathrm{gnd}}(\mathcal{R}_d)$ for all $1 \le i \le m$ with $i \in \mu(f)$. If $\mathrm{root}(t_i) \in \mathcal{C}$ for 
all $1 \le i \le n$, $i \in \mu(f)$, then $t \to_\varepsilon$ by the exhaustiveness requirement (and because all arguments $u_j$, $t_j$ 
with $j \notin \mu(f)$ are being matched by pairwise different variables, due to left-linearity). Otherwise, there 
exists $1 \le i \le n$, $i \in \mu(f)$ such that $\mathrm{root}(t_i) \notin \mathcal{C}$. By the induction hypothesis we get that $t_i \to_{p'}$ for some 
$p' \in \mathrm{Pos}_\mu(t_i)$. Therefore, we also have $i.p' \in \mathrm{Pos}_\mu(t)$ and $t \to_{i.p'}$. □ 



Matthias Raffelsieper 61 

A second lemma that is required for the proof of Theorem 12 states that a specialized version of 
the Parallel Moves Lemma [1, Lemma 6.4.4] holds for our restricted format of term rewrite systems. 
It allows us to swap the order of reductions blocked by $\mu$ with reductions not blocked by $\mu$. To 
formulate the lemma, we need the notion of a parallel reduction step $t \to_P t'$, which is defined for 
a set $P = \{p_1, \ldots, p_n\} \subseteq \mathrm{Pos}(t)$ such that for every pair $1 \le i < j \le n$ we have $p_i \parallel p_j$ and a term 
$t = t[\ell_1\sigma_1]_{p_1} \cdots [\ell_n\sigma_n]_{p_n}$ as $t' = t[r_1\sigma_1]_{p_1} \cdots [r_n\sigma_n]_{p_n}$ for rules $\ell_i \to r_i \in \mathcal{R}_d \cup \mathcal{R}_s$ and substitutions $\sigma_i$, 
$1 \le i \le n$. 

Lemma 15. Let $\mathcal{S} = (\Sigma_d, \Sigma_s, \mathcal{C}, \mathcal{R}_d, \mathcal{R}_s)$ be a proper specification. For all ground terms $t, t', t''$ and positions $p \in \mathrm{Pos}_\mu(t')$, $P \subseteq \mathrm{blocked}_\mu(t)$ with $t \rightrightarrows_P t' \to_{\ell \to r, p} t''$, a term $\hat{t}$ and a set $P' \subseteq \mathrm{Pos}(\hat{t})$ exist such that $t \to_{\ell \to r, p} \hat{t} \rightrightarrows_{P'} t''$.

Proof. Let $P = \{p_1, \ldots, p_k\} \subseteq \mathrm{blocked}_\mu(t)$. Then
$$t = t[\ell_1\sigma_1]_{p_1} \ldots [\ell_k\sigma_k]_{p_k} \rightrightarrows_P t[r_1\sigma_1]_{p_1} \ldots [r_k\sigma_k]_{p_k} = t' = t'[\ell\sigma]_p$$
for some rules $\ell_1 \to r_1, \ldots, \ell_k \to r_k, \ell \to r \in \mathcal{R}_d \cup \mathcal{R}_s$ and substitutions $\sigma_1, \ldots, \sigma_k, \sigma$. W.l.o.g., let $0 \le j \le k$ be such that $p_i$ and $p$ are not parallel for all $1 \le i \le j$ and $p_i \parallel p$ for all $j < i \le k$. Since $p \in \mathrm{Pos}_\mu(t')$ and $p_i \in \mathrm{blocked}_\mu(t')$, it must hold that $p < p_i$ for all $1 \le i \le j$. Therefore, the term $t'$ must have the shape
$$t' = t\big[\ell\sigma[r_1\sigma_1]_{p_1 - p} \ldots [r_j\sigma_j]_{p_j - p}\big]_p [r_{j+1}\sigma_{j+1}]_{p_{j+1}} \ldots [r_k\sigma_k]_{p_k}.$$

If $\ell \to r \in \mathcal{R}_d$, then it must hold that $j = 0$, since arguments of data symbols are never blocked. Hence, the lemma trivially holds in this case, as all reductions are on independent positions.

Otherwise, $\ell \to r \in \mathcal{R}_s$. Because the positions $p_i$ for $1 \le i \le j$ are blocked, it must be the case that they are either below a variable in all rules containing a certain symbol $f$ (hence, they are also below a variable in $\ell$), or they are below a structure argument of a constructor $c \in \mathcal{C}$. By requirement of specifications, if a constructor is present on a left-hand side of a rule, all its structure arguments must be variables. Thus, we conclude that all positions $p_i$, and thereby all terms $r_i\sigma_i$, are below some variable of $\ell$ in $t'$. Additionally, the left-hand side $\ell$ is required to be linear, therefore there exist pairwise different variables $x_1, \ldots, x_j$, contexts $C_1, \ldots, C_j$, and a substitution $\sigma'$ being like $\sigma$ except that $\sigma'(x_i) = x_i$ for $1 \le i \le j$ such that:
$$\begin{aligned}
t' &= t\big[\ell\sigma'\{x_1 := C_1[r_1\sigma_1], \ldots, x_j := C_j[r_j\sigma_j]\}\big]_p [r_{j+1}\sigma_{j+1}]_{p_{j+1}} \ldots [r_k\sigma_k]_{p_k} \\
&\to_p t\big[r\sigma'\{x_1 := C_1[r_1\sigma_1], \ldots, x_j := C_j[r_j\sigma_j]\}\big]_p [r_{j+1}\sigma_{j+1}]_{p_{j+1}} \ldots [r_k\sigma_k]_{p_k} = t''
\end{aligned}$$

We conclude that $p \in \mathrm{Pos}_\mu(t)$, as all reduction steps in $t \rightrightarrows_P t'$ are either below or independent of $p$. Thus:
$$\begin{aligned}
t &= t\big[\ell\sigma'\{x_1 := C_1[\ell_1\sigma_1], \ldots, x_j := C_j[\ell_j\sigma_j]\}\big]_p [\ell_{j+1}\sigma_{j+1}]_{p_{j+1}} \ldots [\ell_k\sigma_k]_{p_k} \\
&\to_p t\big[r\sigma'\{x_1 := C_1[\ell_1\sigma_1], \ldots, x_j := C_j[\ell_j\sigma_j]\}\big]_p [\ell_{j+1}\sigma_{j+1}]_{p_{j+1}} \ldots [\ell_k\sigma_k]_{p_k} = \hat{t} \\
&\rightrightarrows_{P'} t\big[r\sigma'\{x_1 := C_1[r_1\sigma_1], \ldots, x_j := C_j[r_j\sigma_j]\}\big]_p [r_{j+1}\sigma_{j+1}]_{p_{j+1}} \ldots [r_k\sigma_k]_{p_k} = t''
\end{aligned}$$

In the second reduction step, the positions of the terms $\ell_i\sigma_i$ in $\hat{t}$ constitute the set $P' \subseteq \mathrm{Pos}(\hat{t})$. □

We are now able to prove our main theorem, showing that context-sensitive termination implies 
productivity of the considered proper specification. 



Proof of Theorem 12. Assume $\mathcal{S} = (\Sigma_d, \Sigma_s, \mathcal{C}, \mathcal{R}_d, \mathcal{R}_s)$ is not strongly productive. Then, a maximal outermost-fair reduction sequence $\rho = t_0 \to t_1 \to \ldots$ exists where for all $k \in \mathbb{N}$, $\mathrm{root}(t_k) \notin \mathcal{C}$. This reduction sequence is infinite, since otherwise it would end in a term $t_m$ for some $m \in \mathbb{N}$ with $\mathrm{root}(t_m) \notin \mathcal{C}$. Then however, according to Lemma 14 the term $t_m$ would contain a redex, giving a contradiction to the sequence being maximal.

The sequence might however perform reductions that are below a variable argument of a constructor or below a variable in all left-hand sides of a defined symbol. These reduction steps are not allowed when considering context-sensitive rewriting with respect to $\mu$. Such reductions however can be reordered. First, we observe that there is always a redex which is not blocked, due to Lemma 14, thus there is also an outermost such one. Because the reduction is outermost-fair, and because reductions below a variable cannot change the matching of a rule, as shown in Lemma 15, such redexes must be contracted an infinite number of times in the infinite reduction sequence $\rho$. Thus, we can reorder the reduction steps in $\rho$: If there is a (parallel) reduction below a variable before performing a step that is allowed by $\mu$, then we swap these two steps using Lemma 15. Repeating this, we get an infinite reduction sequence $\rho'$ consisting of steps which are not blocked by $\mu$. Thus, this is an infinite $\mu$-reduction sequence, showing that $\mathcal{R}_d \cup \mathcal{R}_s$ is not $\mu$-terminating, which proves the theorem. □



The technique of Theorem 12, i.e., proving $\mu$-termination of the corresponding context-sensitive TRS, is able to prove strong productivity of Example 10. By Definition 11 the corresponding replacement map $\mu$ is defined as $\mu(0) = \mu(1) = \mu(\mathsf{ones}) = \mu(\mathsf{finZeroes}) = \emptyset$ and $\mu(\mathsf{f}) = \mu(:) = \{1\}$, i.e., rewriting is allowed on all positions except those that are inside a second argument of the constructor $:$. Context-sensitive termination of the TRS together with the above replacement map $\mu$ can for example be shown by the tool AProVE [6]. Thus, productivity of that example has been shown according to Theorem 12.

Also, strong productivity of the proper specification consisting of the rules random → 0 : random, random → id(1 : random), and id(xs) → xs can be proven using Theorem 12 and the tool AProVE, where $\mu(0) = \mu(1) = \mu(\mathsf{random}) = \mu(\mathsf{id}) = \emptyset$ and $\mu(:) = \{1\}$ according to Definition 11. Note that for this example, one could also have used $\mu(\mathsf{id}) = \{1\}$, i.e., here the removal of argument positions in the second item of Definition 11 is irrelevant.

This is not the case in the next example, showing that this improvement, which was inspired by [3] and blocks more argument positions, allows to prove productivity of specifications where this would otherwise not be possible.

Example 16. Consider the following proper specification, given by the TRS $\mathcal{R}_s$:

a → f(1 : a, a)
f(x : xs, ys) → x : ys
f(f(xs, ys), zs) → f(xs, f(ys, zs))



When defining $\mu(1) = \mu(\mathsf{a}) = \emptyset$ and $\mu(:) = \{1\}$ by the first case of Definition 11 and defining $\mu(\mathsf{f}) = \{1, 2\}$ (i.e., not removing any argument positions, as was done in the orthogonal case in [3]), then an infinite $\mu$-reduction exists: $\mathsf{a} \to \mathsf{f}(1 : \mathsf{a}, \mathsf{a}) \to \mathsf{f}(1 : \mathsf{a}, \mathsf{f}(1 : \mathsf{a}, \mathsf{a})) \to \ldots$

This reduction can be continued in the above style by reducing the rightmost occurrence of $\mathsf{a}$ further, which will always create the term $\mathsf{a}$ on an allowed position of the form $2^n$. However, such positions are not required for any of the f-rules to be applicable; for both rules it holds that all subterms of left-hand sides that start with the symbol f, which are the terms f(x : xs, ys), f(f(xs, ys), zs), and f(xs, ys), have a variable as second argument. Thus, according to Definition 11 the replacement map $\mu'$ can be defined to be like $\mu$, except that $\mu'(\mathsf{f}) = \{1\}$. With this improved replacement map, $\mu'$-termination of the above TRS can for example be proven by the tool AProVE [6], which implies productivity by Theorem 12.



Checking productivity in this way, i.e., by checking context-sensitive termination, can only prove 
productivity but not disprove it. This is illustrated in the next example. 

Example 17. Consider the proper specification with the following rules in $\mathcal{R}_s$:

a → f(a)
f(x : xs) → x : f(xs)
f(f(xs)) → 1 : xs

Starting in the term a, we observe that an infinite $\mu$-reduction starting with $\mathsf{a} \to \mathsf{f}(\mathsf{a})$ exists, which can be continued by reducing the innermost redex $\mathsf{a}$ repeatedly, since $\mu(\mathsf{f}) = \{1\}$. Thus, the example is not $\mu$-terminating. However, the specification is productive, as can be shown by case analysis based on the root symbol of some arbitrary ground term $t$. In case $\mathrm{root}(t) = {:}$, then nothing has to be done, according to Proposition 7. Otherwise, if $\mathrm{root}(t) = \mathsf{a}$, then any maximal outermost-fair reduction must start with $t = \mathsf{a} \to \mathsf{f}(\mathsf{a})$, thus we can reduce our analysis to the final case, where $\mathrm{root}(t) = \mathsf{f}$. In this last case, $t = \mathsf{f}(t')$. Due to the rules for the symbol f, we have to perform a further case analysis based on the root symbol of $t'$. If $\mathrm{root}(t') = {:}$, i.e., $t' = u : t''$ for some terms $u$ and $t''$, then this constructor cannot be reduced further. Also, $t = \mathsf{f}(u : t'')$ is a redex, due to the second rule. Hence, in any maximal outermost-fair reduction sequence this redex must eventually be reduced using the second rule, which results in a term with the constructor $:$ at the root. For $\mathrm{root}(t') = \mathsf{a}$ we again must reduce $t = \mathsf{f}(\mathsf{a}) \to \mathsf{f}(\mathsf{f}(\mathsf{a}))$. Finally, in case $\mathrm{root}(t') = \mathsf{f}$, we have two possibilities. The first one occurs when the term $t'$ is eventually reduced at the root. Since $\mathrm{root}(t') = \mathsf{f}$, this has to happen with either of the f-rules, creating a constructor $:$ which, as we already observed, must eventually result in the term $t$ also being reduced to a term with the constructor $:$ at the root. Otherwise, in the second possible scenario, the term $t'$ is never reduced at the root. Then however, an outermost redex of the shape $\mathsf{f}(\mathsf{f}(t''))$ exists in all terms that $t$ can be rewritten to in this way, thus it has to be reduced eventually with the third rule. This again creates a term with constructor $:$ at the root. Combining all these observations, we see that in every maximal outermost-fair reduction there exists a term with the constructor $:$ as root symbol, which proves productivity due to Proposition 7.

In the remainder of this section we want to illustrate the requirements of proper specifications in Definition 1, namely that the TRS $\mathcal{R}_s$ should be left-linear and that structure arguments of constructors in left-hand sides must not be structure symbols, i.e., they must be variables. We begin with an example specification that is not left-linear and not productive, but $\mu$-terminating.

Example 18. We consider the non-proper specification $\mathcal{S} = (\Sigma_d, \Sigma_s, \mathcal{C}, \mathcal{R}_d, \mathcal{R}_s)$ with $\Sigma_d = \mathcal{R}_d = \emptyset$, $\mathcal{C} = \{\mathsf{a}, \mathsf{c}\} \subseteq \Sigma_s = \{\mathsf{a}, \mathsf{b}, \mathsf{c}, \mathsf{f}\}$, and the following rules in $\mathcal{R}_s$ which also imply the arities of the symbols:

b → a
f(a) → a
f(c(x, x)) → f(c(a, b))
f(c(x, y)) → c(x, y)

The example specification is not productive, as it admits the infinite outermost-fair reduction sequence $\mathsf{f}(\mathsf{c}(\mathsf{a},\mathsf{a})) \to \mathsf{f}(\mathsf{c}(\mathsf{a},\mathsf{b})) \to \mathsf{f}(\mathsf{c}(\mathsf{a},\mathsf{a})) \to \ldots$ However, the TRS is $\mu$-terminating, as shown by the tool AProVE [6], where $\mu(\mathsf{f}) = \{1\}$ and $\mu(\mathsf{a}) = \mu(\mathsf{b}) = \mu(\mathsf{c}) = \emptyset$. This is the case because rewriting below the constructor c is not allowed, thus the second step of the above reduction sequence is blocked. The reason why Theorem 12 fails is the reordering of reductions, since in this example a reduction of the form $t \rightrightarrows_P t' \to_{\ell \to r, p} t''$ (here: $\mathsf{f}(\mathsf{c}(\mathsf{a},\mathsf{b})) \rightrightarrows_{\{1.2\}} \mathsf{f}(\mathsf{c}(\mathsf{a},\mathsf{a})) \to_{\mathsf{f}(\mathsf{c}(x,x)) \to \mathsf{f}(\mathsf{c}(\mathsf{a},\mathsf{b})),\, \varepsilon} \mathsf{f}(\mathsf{c}(\mathsf{a},\mathsf{b}))$) does not imply that $t \to_{\ell \to r, p}$ (in the example, $\mathsf{f}(\mathsf{c}(\mathsf{a},\mathsf{b})) \not\to_{\mathsf{f}(\mathsf{c}(x,x)) \to \mathsf{f}(\mathsf{c}(\mathsf{a},\mathsf{b})),\, \varepsilon}$), i.e., Lemma 15 does not hold.

The next example illustrates why non-variable structure arguments of constructors are not allowed in left-hand sides.

Example 19. Let $\mathcal{R}_s$ contain the following rules:

ones → 1 : ones
f(x : y : xs) → f(y : xs)
f(x : xs) → x : xs

Here, we have non-productivity of the corresponding non-proper specification due to the infinite outermost-fair reduction sequence $\mathsf{f}(\mathsf{ones}) \to_1 \mathsf{f}(1 : \mathsf{ones}) \to_{1.2} \mathsf{f}(1 : 1 : \mathsf{ones}) \to_\varepsilon \mathsf{f}(1 : \mathsf{ones}) \to \ldots$, however the second step is not allowed when performing context-sensitive rewriting, since $\mu(:) = \{1\}$. Using the tool AProVE [6], context-sensitive termination of the above TRS together with the replacement map $\mu$ can be shown.

We can however unfold this example (cf. [5, 13]), which makes the resulting specification proper, by introducing a fresh symbol g and replacing the two rules for f with the following three rules:

f(x : xs) → g(x, xs)
g(x, y : xs) → f(y : xs)
g(x, xs) → x : xs

Then, in the corresponding context-sensitive TRS, we have $\mu(\mathsf{f}) = \mu(:) = \{1\}$, $\mu(\mathsf{g}) = \{2\}$, and $\mu(\mathsf{ones}) = \mu(0) = \mu(1) = \emptyset$. This context-sensitive TRS is not $\mu$-terminating, since it admits the infinite reduction $\mathsf{f}(\mathsf{ones}) \to_1 \mathsf{f}(1 : \mathsf{ones}) \to_\varepsilon \mathsf{g}(1, \mathsf{ones}) \to_2 \mathsf{g}(1, 1 : \mathsf{ones}) \to_\varepsilon \mathsf{f}(1 : \mathsf{ones}) \to \ldots$
Figure 1: Example hardware circuit



It should be noted that the restriction for left-hand sides to only contain variables in constructor arguments was already made in [14]. This is the case because matching constructors nested within constructors would otherwise invalidate the approach of disallowing rewriting inside structure arguments of constructors.
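To make the replacement-map arguments of Examples 16 and 18 concrete, the following added Python example (not part of the paper, which relies on AProVE and gives no implementation of its own) implements matching, positions, $\mathrm{Pos}_\mu$ and a $\mu$-restricted redex search for first-order terms. The term encoding, the helper names and the reduction strategy (always contract the last allowed redex) are assumptions of this example, not notation from the paper.

```python
# Added example (not from the paper): a small term rewriting engine with a
# replacement map mu, used to replay the context-sensitive reasoning of
# Examples 16 and 18. Terms are nested tuples ("f", arg1, ...); constants are
# one-element tuples ("a",); variables are strings starting with "?";
# positions are tuples of argument indices (() is the root).

def is_var(t):
    return isinstance(t, str)

def match(pat, t, subst):
    """Syntactic matching of pat against ground t, extending subst in place.
    A repeated variable (the non-left-linear rule of Example 18) must be
    bound to identical subterms."""
    if is_var(pat):
        if pat in subst:
            return subst[pat] == t
        subst[pat] = t
        return True
    if is_var(t) or pat[0] != t[0] or len(pat) != len(t):
        return False
    return all(match(p, a, subst) for p, a in zip(pat[1:], t[1:]))

def instantiate(t, subst):
    if is_var(t):
        return subst[t]
    return (t[0],) + tuple(instantiate(a, subst) for a in t[1:])

def subterm(t, pos):
    for i in pos:
        t = t[i]
    return t

def replace(t, pos, s):
    if not pos:
        return s
    i = pos[0]
    return t[:i] + (replace(t[i], pos[1:], s),) + t[i + 1:]

def positions(t, mu=None, pos=()):
    """Pos(t) when mu is None, else Pos_mu(t): positions reachable only
    through argument indices allowed by mu (root first, left to right)."""
    yield pos
    if is_var(t):
        return
    for i, a in enumerate(t[1:], start=1):
        if mu is None or i in mu.get(t[0], ()):
            yield from positions(a, mu, pos + (i,))

def redexes(t, rules, mu=None):
    """(position, rule index) of every redex of t, restricted to Pos_mu(t)
    when mu is given."""
    return [(p, k) for p in positions(t, mu)
            for k, (lhs, _) in enumerate(rules) if match(lhs, subterm(t, p), {})]

def rewrite(t, pos, rule):
    lhs, rhs = rule
    subst = {}
    assert match(lhs, subterm(t, pos), subst), "not a redex"
    return replace(t, pos, instantiate(rhs, subst))

def mu_reduce(t, rules, mu, steps):
    """Up to `steps` mu-steps, each contracting the last allowed redex in
    positions() order (deepest/rightmost). Returns the terms visited; the
    list is shorter than steps+1 exactly when no allowed redex remains."""
    seq = [t]
    for _ in range(steps):
        rs = redexes(t, rules, mu)
        if not rs:
            break
        pos, k = rs[-1]
        t = rewrite(t, pos, rules[k])
        seq.append(t)
    return seq

# Example 16: a -> f(1 : a, a), f(x : xs, ys) -> x : ys, f(f(xs, ys), zs) -> f(xs, f(ys, zs))
A, ONE = ("a",), ("1",)
def cons(x, xs): return (":", x, xs)
def f(x, y): return ("f", x, y)
RULES16 = [(A, f(cons(ONE, A), A)),
           (f(cons("?x", "?xs"), "?ys"), cons("?x", "?ys")),
           (f(f("?xs", "?ys"), "?zs"), f("?xs", f("?ys", "?zs")))]
MU16 = {":": {1}, "f": {1, 2}}     # first case of Definition 11 only
MU16_PRIME = {":": {1}, "f": {1}}  # improved map: second argument of f removed

# Example 18: b -> a, f(a) -> a, f(c(x, x)) -> f(c(a, b)), f(c(x, y)) -> c(x, y)
B = ("b",)
def c(x, y): return ("c", x, y)
def f1(x): return ("f", x)
RULES18 = [(B, A), (f1(A), A), (f1(c("?x", "?x")), f1(c(A, B))), (f1(c("?x", "?y")), c("?x", "?y"))]
MU18 = {"f": {1}}   # mu(a) = mu(b) = mu(c) = {}
T18 = f1(c(A, B))

if __name__ == "__main__":
    for t in mu_reduce(A, RULES16, MU16, 4):
        print(t)   # the redex a reappears at positions 2, 2.2, 2.2.2, ...
    print(mu_reduce(A, RULES16, MU16_PRIME, 10)[-1])
    print(redexes(T18, RULES18), redexes(T18, RULES18, MU18))
```

Under `MU16` the engine reproduces the infinite $\mu$-reduction of Example 16 (the contracted `a` always sits at an allowed position $2^n$), while under `MU16_PRIME` the same strategy stops after two steps at the constructor term `1 : a`. For Example 18, `redexes(T18, RULES18)` finds the blocked step `b → a` at position 1.2 that `redexes(T18, RULES18, MU18)` excludes, and `match(RULES18[2][0], T18, {})` is false: the root step with the non-left-linear rule cannot be performed before the blocked step, which is exactly the failure of Lemma 15 described above.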



5 Application to Hardware Circuits 

Proving productivity can be used to verify stabilization of hardware circuits. In such a circuit, the inputs 
can be seen as an infinite stream of zeroes and ones, which in general can occur in any arbitrary sequence. 
Furthermore, a circuit contains a number of internal signals, which also carry different Boolean values 
over time. 

To store a value over time, feedback loops are used. In such a loop, a value that is computed from 
some logic function is also used as an input to that function. Thus, it is desired that such values stabilize, 
instead of oscillating infinitely. 

To check this, productivity analysis can be used. We will illustrate this by means of an example, that 
will be considered throughout the rest of this section. 

Consider the circuit shown in Figure 1, which was constructed from the transistor netlist of the cell SDFF_X1 in the Nangate Open Cell Library [9] and which implements a scannable D flip-flop. This circuit first selects, based on the value of the input SE (scan enable), either the negation of the data input D (in case SE=0) or the negation of the scan data input SI (in case SE=1). This value, called next in Figure 1, is then fed into another multiplexer (mux), for which a feedback loop exists. This mux is controlled by the negation of the clock input CK. If the clock is 0, then the negated value of next is forwarded to the output n1, otherwise the stored value of n1 is kept. Similarly, n2 implements such a latch structure, however this time the latch forwards the negation of the n1 input in case CK is 1, and it keeps its value when CK is 0. The outputs Q and QN are computed from this stored value n2.

Note that a lot of the negations are only contained to refresh the signals, otherwise a high voltage 
value might decay and not be detected properly anymore. 

From the example circuit, we create a proper specification, where the data symbols consist of the two Boolean values 0 and 1 and the symbol not used for negating:

not(0) → 1
not(1) → 0

rand → 0 : rand
rand → 1 : rand

next(0 : ses, d : ds, si : sis) → not(d) : next(ses, ds, sis)
next(1 : ses, d : ds, si : sis) → not(si) : next(ses, ds, sis)

n1(0 : cks, nextv : nexts, n1l) → not(nextv) : n1(cks, nexts, not(nextv))
n1(1 : cks, nextv : nexts, n1l) → n1'(cks, nexts, n1l, not(not(n1l)))
n1'(cks, nexts, 0, 0) → 0 : n1(cks, nexts, 0)
n1'(cks, nexts, 1, 1) → 1 : n1(cks, nexts, 1)
n1'(cks, nexts, 0, 1) → n1'(cks, nexts, 1, not(not(1)))
n1'(cks, nexts, 1, 0) → n1'(cks, nexts, 0, not(not(0)))

n2(0 : cks, n1v : n1s, n2l) → n2'(cks, n1s, n2l, not(not(n2l)))
n2(1 : cks, n1v : n1s, n2l) → not(n1v) : n2(cks, n1s, not(n1v))
n2'(cks, n1s, 0, 0) → 0 : n2(cks, n1s, 0)
n2'(cks, n1s, 1, 1) → 1 : n2(cks, n1s, 1)
n2'(cks, n1s, 0, 1) → n2'(cks, n1s, 1, not(not(1)))
n2'(cks, n1s, 1, 0) → n2'(cks, n1s, 0, not(not(0)))

q(n2v : n2s) → not(n2v) : q(n2s)

qn(qv : qs) → not(qv) : qn(qs)

Figure 2: Structure TRS $\mathcal{R}_s$ for the circuit shown in Figure 1



The structures we are interested in are infinite streams containing Boolean values, thus the set of constructors is $\mathcal{C} = \{:\}$. The structure TRS $\mathcal{R}_s$ is shown in Figure 2.

It should be remarked that in the shown rules, some simplifications regarding the clock input CK have been made. The inverters for the clock have been removed, and the two muxes that output the signals n1 and n2 are provided with decoupled clock values.

The defined function symbols next, n1, n2, q, and qn reflect the wires and output signals with the corresponding name in Figure 1. The constant rand is added to abstract the values of the inputs. It provides a random stream of Boolean values, thus it is able to represent any sequence of input values provided to the circuit. The rules of the symbol next implement the mux selecting either the next data input value d in case the next scan enable input value se is 0, or the next scan input value si in case se is 1.

The output of n1 is also computed by a mux, however, here the previous output value has to be considered due to the feedback loop. We break the cycle by introducing a new parameter n1l that stores the previously output value. Then, the next value of the stream at n1 is computed from the next value of the clock ck, the input stream nextv : nexts coming from the previously described multiplexer, and from the previous output value n1l. If the clock ck is 0, then the latch simply outputs the negated value of nextv and continues on the remaining streams, setting the parameter n1l to this value to remember it. Otherwise, if ck is 1, then the feedback loop is active and has to be evaluated until it stabilizes. This is done by the function n1'. It has as arguments the remaining input stream of the clock, the remaining input stream of the scan multiplexer, and the previous output value and the newly computed output value. If both of these values are the same, then the value of the wire n1 has stabilized and hence can be output. The tail of the output stream is computed by again calling the function n1 with the remaining streams for the clock and the scan multiplexer. Otherwise, the new output value (the last argument of n1') differs from the old output value (the penultimate argument of n1'). In that case, the new output value becomes the old output value and the new output is recomputed. This is repeated until eventually the output value stabilizes, or it will oscillate and never produce a stable output.

Similar to the function n1, the function n2 computes stable values for the corresponding wire in Figure 1. Again, the parameter n2l is added to store a previously output value, and the auxiliary function n2' is used to compute a stable value for the feedback loop. The only difference to the function n1 is that the cases of the clock are inverted, due to the additional inverter in Figure 1 that feeds the select input of the multiplexer that computes n2. Finally, the functions q and qn implement the two inverters that feed the corresponding output signals in Figure 1.

The above specification is productive, since the TRS $\mathcal{R}_d \cup \mathcal{R}_s$ can be proven context-sensitive terminating, for example by the tool AProVE [6]. Hence, according to Theorem 12 the specification is productive, meaning that every ground term of sort $s$ rewrites to a constructor term. This especially holds for the ground terms $t_{\mathsf{q}} = \mathsf{q}(t_{\mathsf{n2}})$ and $t_{\mathsf{qn}} = \mathsf{qn}(t_{\mathsf{q}})$, where $t_{\mathsf{n2}} = \mathsf{n2}(\mathsf{rand}, \mathsf{n1}(\mathsf{rand}, \mathsf{next}(\mathsf{rand}, \mathsf{rand}, \mathsf{rand}), n1l), n2l)$ and the variables $n1l$ and $n2l$ are instantiated with all possible combinations of 0 and 1. Thus, the circuit produces an infinite stream of stable output values, regardless of its initial state and input streams, and does not oscillate infinitely long. This illustrates that productivity analysis can be used to prove stabilization of digital circuits with arbitrary input sequences, when encoding them as non-orthogonal proper specifications.
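To show what productivity of the Figure 2 specification means operationally, here is an added Python example (not the paper's code; the paper uses AProVE for the termination proof and gives no implementation): every defined symbol of the structure TRS becomes a lazy generator, the data rules for not become a function, and a finite prefix of q and qn is computed by demand. The non-deterministic constant rand is replaced by a constructed, seeded pseudo-random input stream, the helper `settle` plays the role of n1'/n2' and takes the loop's refresh function as a parameter so that a constructed single-inverter loop can be plugged in to see the oscillating case mentioned above, and the bound `limit` and all helper names are assumptions of this example.

```python
# Added example (not from the paper): the structure TRS of Figure 2 executed
# as lazy Python streams. Each generator mirrors one defined symbol and the
# comment above it quotes the rules it implements. Productivity means every
# finite prefix of q and qn is computable, so the demo asks for the first n
# output values. The non-deterministic constant rand is replaced by a
# constructed, seeded pseudo-random stream (an assumption for reproducibility).

import random
from itertools import islice, tee

def not_(v):
    # data rules: not(0) -> 1, not(1) -> 0
    return 1 - v

def refresh(v):
    # value recomputed around the feedback loop in Figure 2: not(not(v))
    return not_(not_(v))

def rand_stream(seed):
    # stands in for rand -> 0 : rand and rand -> 1 : rand (constructed input)
    rng = random.Random(seed)
    while True:
        yield rng.randint(0, 1)

def next_(ses, ds, sis):
    # next(0 : ses, d : ds, si : sis) -> not(d)  : next(ses, ds, sis)
    # next(1 : ses, d : ds, si : sis) -> not(si) : next(ses, ds, sis)
    for se, d, si in zip(ses, ds, sis):
        yield not_(d) if se == 0 else not_(si)

def settle(old, new, loop=refresh, limit=8):
    """The n1'/n2' rules:  n1'(cks, nexts, v, v)         -> v : n1(cks, nexts, v)
                           n1'(cks, nexts, v, w), v != w -> n1'(cks, nexts, w, loop(w))
    Returns the stable value, or None when the loop has not stabilized after
    `limit` rounds (the TRS would diverge there; the bound is our addition)."""
    rounds = 0
    while old != new:
        if rounds == limit:
            return None
        old, new = new, loop(new)
        rounds += 1
    return old

def n1(cks, nexts, n1l):
    # n1(0 : cks, nextv : nexts, n1l) -> not(nextv) : n1(cks, nexts, not(nextv))
    # n1(1 : cks, nextv : nexts, n1l) -> n1'(cks, nexts, n1l, not(not(n1l)))
    for ck, nextv in zip(cks, nexts):
        n1l = not_(nextv) if ck == 0 else settle(n1l, refresh(n1l))
        if n1l is None:   # feedback loop oscillates: no further output
            return
        yield n1l

def n2(cks, n1s, n2l):
    # n2(0 : cks, n1v : n1s, n2l) -> n2'(cks, n1s, n2l, not(not(n2l)))
    # n2(1 : cks, n1v : n1s, n2l) -> not(n1v) : n2(cks, n1s, not(n1v))
    for ck, n1v in zip(cks, n1s):
        n2l = not_(n1v) if ck == 1 else settle(n2l, refresh(n2l))
        if n2l is None:
            return
        yield n2l

def q(n2s):
    # q(n2v : n2s) -> not(n2v) : q(n2s)
    for n2v in n2s:
        yield not_(n2v)

def qn(qs):
    # qn(qv : qs) -> not(qv) : qn(qs)
    for qv in qs:
        yield not_(qv)

def run(cks2, cks1, ses, ds, sis, n1l, n2l, n):
    """First n values on the wires n1, n2, q, qn for the term
    qn(q(n2(cks2, n1(cks1, next(ses, ds, sis), n1l), n2l))), i.e. t_qn with
    the five rand constants replaced by the five given input streams."""
    n1s, n1s_copy = tee(n1(cks1, next_(ses, ds, sis), n1l))
    n2s, n2s_copy = tee(n2(cks2, n1s, n2l))
    qs, qs_copy = tee(q(n2s))
    out = {"qn": list(islice(qn(qs), n))}   # pulling qn drives the whole chain
    out["q"] = list(islice(qs_copy, n))
    out["n2"] = list(islice(n2s_copy, n))
    out["n1"] = list(islice(n1s_copy, n))
    return out

def prefixes_for_all_initial_states(n, seeds):
    """q-prefixes for all four initial latch states, mirroring the paper's
    check of t_qn for every combination of n1l, n2l in {0, 1}."""
    return {(a, b): run(*(rand_stream(s) for s in seeds), a, b, n)["q"]
            for a in (0, 1) for b in (0, 1)}

if __name__ == "__main__":
    print(run([0, 1, 0, 1], [0, 1, 0, 1], [0, 0, 1, 1], [1, 0, 1, 0], [0, 0, 0, 1], 0, 0, 4))
    print(settle(0, 1, loop=not_))   # a single-inverter loop never stabilizes
```

With the constructed input streams in the `__main__` block the run yields `n1 = [1, 1, 0, 0]`, `n2 = [0, 0, 0, 1]`, `q = [1, 1, 1, 0]` and `qn = [0, 0, 0, 1]`, which can be checked by hand against the rules of Figure 2. Because the loop of Figure 2 refreshes with `not(not(v))`, `settle` always returns after at most one round, which is why every requested prefix is produced; replacing the refresh by a single `not_` makes `settle` return `None` and the output stream ends, the stream analogue of a non-productive specification.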



6 Conclusions and Future Work 

We have presented a generalization of the productivity checking techniques in [14] (including the improvements of [3]) to non-orthogonal specifications, which are able to represent non-deterministic systems. These naturally arise for example when abstracting away certain details of an implementation, such as the concrete sequence of input values. This was used to verify stabilization of hardware descriptions whose environment is left unspecified, as was demonstrated in Section 5.

Our setting still imposes certain restrictions on the specifications that can be treated. The most severe restriction is the requirement of left-linear rules in the structure TRS $\mathcal{R}_s$. Dropping this requirement however would make Theorem 12 unsound. Similarly, also the requirement that structure arguments of constructors must be variables cannot be dropped without losing soundness of Theorem 12. This requirement however is not that severe in practice, since many specifications can be unfolded by introducing fresh symbols, as was presented in [5, 13].

In the future, it would be interesting to investigate whether transformations of non-orthogonal proper specifications, similar to those in [14], can be defined. It is clear that rewriting of right-hand sides for example is not productivity-preserving for non-orthogonal specifications, since it only considers one possible reduction. However, it would be interesting to investigate whether for example narrowing of right-hand sides is productivity preserving, as it considers all possible reductions.